Krasimir Konov, a malware analyst at Sucuri, has reported a persistent campaign of malicious script injection into compromised WordPress websites. The campaign takes advantage of known vulnerabilities in WordPress themes and plugins and has affected a vast number of websites throughout the year.
The standard procedure is to contaminate files like jquery.min.js and jquery-migrate.min.js with obfuscated JavaScript that fires on every page load, allowing the attacker to redirect website visitors to a destination of their choosing.
The website security company said domains at the end of the redirect chain could be used to load ads, phishing pages, malware, or even trigger another set of redirects.
In some cases, unsuspecting users are taken to a fake redirect landing page that contains a fake CAPTCHA check; clicking it displays unwanted advertisements that are disguised to appear to come from the operating system rather than from a web browser.
The campaign, a follow-up to another wave detected last month, is believed to have affected 322 websites so far, since May 9. The wave of April attacks, meanwhile, compromised more than 6,500 websites.
All of the websites shared a common problem: malicious JavaScript had been injected into the website's files and database, including legitimate WordPress core files such as:
./wp-includes/js/jquery/jquery.min.js
./wp-includes/js/jquery/jquery-migrate.min.js
Once the website was compromised, the attackers attempted to automatically infect any .js file with "jquery" in its name. The injected code starts with “/* trackmyposs*/eval(String.fromCharCode…”
The attackers had clearly taken steps to evade detection, obfuscating their malicious JavaScript by encoding it as String.fromCharCode character codes that are decoded and executed with eval at page load.
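As an added example that is not part of the original report, the following Python scanner looks for the two indicators the article describes: the “/* trackmyposs*/” marker and an eval(String.fromCharCode(...)) prefix in .js files with "jquery" in their name. The sample file contents and the example.invalid hostname are constructed placeholders; the decoder only renders the character codes as text for triage and never executes them.

```python
import re
from pathlib import Path

MARKER = "/* trackmyposs*/"
# Matches eval(String.fromCharCode(104,116,...)) and captures the numeric argument list.
FROMCHARCODE_RE = re.compile(r"eval\(String\.fromCharCode\(([\d,\s]+)\)\)")

# Constructed sample of an infected jquery-migrate.min.js header (placeholder payload,
# not a real one): the character codes spell out a redirect to a reserved .invalid domain.
PLACEHOLDER_PAYLOAD = "window.location='https://example.invalid/'"
SAMPLE_INFECTED = (
    MARKER
    + "eval(String.fromCharCode("
    + ",".join(str(ord(c)) for c in PLACEHOLDER_PAYLOAD)
    + "));/*! jQuery Migrate v3.3.2 */"
)
SAMPLE_CLEAN = "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */"


def decode_fromcharcode(args: str) -> str:
    """Render a String.fromCharCode argument list as text without evaluating any JavaScript."""
    return "".join(chr(int(n)) for n in args.split(",") if n.strip())


def scan_js(source: str) -> dict:
    """Inspect one file's contents and report the marker and any decoded charcode payloads."""
    decoded = [decode_fromcharcode(m.group(1)) for m in FROMCHARCODE_RE.finditer(source)]
    marker = MARKER in source
    return {"marker": marker, "decoded": decoded, "suspicious": marker or bool(decoded)}


def scan_tree(root: Path) -> list[tuple[Path, dict]]:
    """Walk a WordPress install and check every .js file whose name contains 'jquery'."""
    hits = []
    for path in root.rglob("*.js"):
        if "jquery" not in path.name.lower():
            continue
        result = scan_js(path.read_text(errors="ignore"))
        if result["suspicious"]:
            hits.append((path, result))
    return hits


if __name__ == "__main__":
    # Triage the constructed samples; point scan_tree at a real docroot (e.g. Path("/var/www/html")) in practice.
    for name, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_js(src))
```

Decoded payloads expose the redirect destination so it can be blocked and compared against known infections, and a hit on a core file such as ./wp-includes/js/jquery/jquery.min.js is a signal to restore it from a trusted WordPress release.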
From the perspective of a site visitor, they will simply see a malware landing page before reaching the final destination. This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click the fake CAPTCHA, they are signed up to receive unwanted ads even when the site is not open, and the ads appear to come from the operating system rather than a browser.